Wikipedia:WikiProject on open proxies/Requests/Archives/47
This is an archive of past discussions on Wikipedia:WikiProject on open proxies. Do not edit the contents of this page. If you wish to start a new discussion or revive an old one, please do so on the current main page. |
204.15.72.92
{{proxycheckstatus}}
- 204.15.72.92 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: This is an anonymizing proxy [1] EnPassant♟♙ (talk) 16:37, 20 July 2022 (UTC)
- In progress --Blablubbs (talk) 17:43, 20 July 2022 (UTC)
- The /21 is a Confirmed webhost (Multacom), plus a bunch more that I haven't quite finished working through yet, see my log. Closing, thanks for the report. --Blablubbs (talk) 18:04, 20 July 2022 (UTC)
125.166.12.128
{{proxycheckstatus}}
- 125.166.12.128 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: The socks4://103.144.209.98:3629
way for using the open proxy no longer works, and I was unable to find a different one. Martin Urbanec (talk) 09:34, 24 February 2022 (UTC)
- Nothing immediately visible – I switched it over to a softblock. --Blablubbs (talk) 23:11, 4 August 2022 (UTC)
105.112.29.144
{{proxycheckstatus}}
- 105.112.29.144 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Mobile network, could do with softening. - RichT|C|E-Mail 00:38, 22 July 2022 (UTC)
- Done. --Blablubbs (talk) 23:18, 4 August 2022 (UTC)
124.122.70.184
{{proxycheckstatus}}
- 124.122.70.184 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: per IPQualityScore. Thibaut (talk) 10:37, 30 June 2022 (UTC)
- Should this be closed? IP was blocked as a proxy yesterday. ☆ Bri (talk) 16:47, 4 July 2022 (UTC)
- Closing - it appears to be a residential proxy (malware) but I'm not sure how dynamic it is. GeneralNotability (talk)`
- Should this be closed? IP was blocked as a proxy yesterday. ☆ Bri (talk) 16:47, 4 July 2022 (UTC)
141.95.17.140
{{proxycheckstatus}}
- 141.95.17.140 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: OVH VPS IP. For VPN/OP use - IPalyzer - RichT|C|E-Mail 02:41, 2 August 2022 (UTC)
- Confirmed, blocked the /22. I'd usually go wider than that but OVH is pretty bad at labeling ranges, so I'm rather wary of collateral. Closing, thanks for the report. --Blablubbs (talk) 23:17, 4 August 2022 (UTC)
93.189.6.34
{{proxycheckstatus}}
- 93.189.6.34 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Static web proxy,[2] abused for vote-stacking. CharlesWain (talk) 05:51, 5 August 2022 (UTC)
- In progress --Blablubbs (talk) 08:29, 5 August 2022 (UTC)
- As Confirmed as they come. I've blocked the following ranges belonging to real-hosts:
- Plus a bunch of ranges on the same ASN. Closing, thanks for the report. --Blablubbs (talk) 08:39, 5 August 2022 (UTC)
- As Confirmed as they come. I've blocked the following ranges belonging to real-hosts:
223.25.61.236
{{proxycheckstatus}}
- 223.25.61.236 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: suspicious edits at article recently abused by LTA & spur reports callback proxy ☆ Bri (talk) 15:18, 2 July 2022 (UTC)
- Not currently an open proxy. Since residential proxies often rotate quickly, it is possible it was a proxy when you reported, and it stopped acting as one now. Closing without action. MarioGom (talk) 19:35, 25 August 2022 (UTC)
90.167.174.0/24 and 90.167.177.0/24
{{proxycheckstatus}}
- 90.167.174.127 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 90.167.174.146 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 90.167.174.178 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 90.167.177.99 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 90.167.177.173 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 90.167.177.177 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: The individual IPs listed above appear to be activity of some LTAs in the beauty pageant space in the last ten days, with the exception of one active in May and the first address which was active late last year. Just wanted a quick check on these for proxy use. The editing follows the pattern of LTAs believed to be in Southeast Asia, with topics related to that geography, not Basque region consistent with geolocation. ☆ Bri (talk) 18:41, 5 July 2022 (UTC)
- Inconclusive. Given the pattern you describe, it might be possible there's some proxy hopping around 90.167.160.0/19 · contribs · block · log · stalk · Robtex · whois · Google, but I saw no technical evidence. Looking at activity in Spanish Wikipedia, it looks like a crowded range with actual activity from Spain (some vandalism, maybe some school, but it looks activity not coming from a proxy). Closing without action. I would suggest reporting elsewhere for vandalism if disruption continues. MarioGom (talk) 11:20, 26 August 2022 (UTC)
83.137.6.163
{{proxycheckstatus}}
- 83.137.6.163 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Looks to belong to a mobile operator, Lycamobile, could be softened? - RichT|C|E-Mail 18:53, 16 August 2022 (UTC)
- The IP was a P2P proxy at the time of the block. The block expired already. You can see some more info at {{Blocked p2p proxy}}. Closing. MarioGom (talk) 11:22, 26 August 2022 (UTC)
85.140.0.0/21
{{proxycheckstatus}}
Reason: A fairly active Russian ISP that's looking like a proxy network. Blocked from talk space for two years. Every IP in the contribution history that I’ve checked is flagged by Spur as belonging to a call-back proxy network and as a 'possible proxy'. Malcolmxl5 (talk) 12:51, 17 August 2022 (UTC)
- Russia is a proxy hotbed, so it's not unlikely that there are some floating around on that range; the spur flags are mostly non-concerning in a Wikipedia context, though some signs point towards botnet activity. A Shodan check on the range doesn't reveal anything out of the ordinary, so I don't have anything specific to hone in on, and I can't see any clear indication that there are proxies on that range that are being abused on Wikipedia. Closing. --Blablubbs (talk) 13:02, 17 August 2022 (UTC)
45.136.197.235
{{proxycheckstatus}}
- 45.136.197.235 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: A datacenter IP belonging to M247 AS9009. Flagged up as a VPN by proxycheck.io and IPQS. Flagged as a non-residential IP by IPHub. Shodan shows multiple open ports. -- Malcolmxl5 (talk) 18:31, 27 September 2022 (UTC)
- Rangeblocked because M247. GeneralNotability (talk) 02:40, 30 September 2022 (UTC)
8.243.113.50
{{proxycheckstatus}}
- 8.243.113.50 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Shodan states the IP is running a MicroTik HTTP proxy, and IPQualityScore reports that it's both a proxy and been mail spam blocklisted in the past. Proxycheck.io states that it might be a compromised server. Editor currently using it seems to be the same one reported above by Malcolmxl5. Sideswipe9th (talk) 02:23, 30 September 2022 (UTC)
- Proxy blocked for two years by GeneralNotability. --Malcolmxl5 (talk) 05:53, 30 September 2022 (UTC)
84.54.13.148
{{proxycheckstatus}}
- 84.54.13.148 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Datacenter IP flagged up by GetIPIntel and IPQS. Shodan shows multiple open ports. -- Malcolmxl5 (talk) 13:33, 30 September 2022 (UTC)
- Confirmed webhost. Blocked along with a couple others. Closing, thanks for the report. --Blablubbs (talk) 13:52, 30 September 2022 (UTC)
31.192.235.50
{{proxycheckstatus}}
- 31.192.235.50 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Datacenter IP flagged by IPQS. Shodan shows multiple open ports. -- Malcolmxl5 (talk) 13:40, 30 September 2022 (UTC)
- The entire /21 is profitserver.ru as far as I can tell. Blocked. There's some more potential ranges at Special:Permalink/1113240321, but it looks like it might be a little messy and I don't have the time for a deep dive right now. Closing, thanks for reporting. --Blablubbs (talk) 14:02, 30 September 2022 (UTC)
193.163.116.5
{{proxycheckstatus}}
- 193.163.116.5 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Editor is engaged in an edit war on two articles, and is almost certainly related to the 8.243 and 45.136 editors Malcolmxl5 and I have reported previously. Shodan shows the IP as running a MikroTik HTTP proxy and a PPTP endpoint, and both ProxyCheck and IPQualityScore concurr. Spur lists a few other proxies available through it, so it may be a compromised endpoint. Sideswipe9th (talk) 22:07, 30 September 2022 (UTC)
- Confirmed Open proxy,
http://193.163.116.5:8080
. Concur compromise is somewhat likely. Will block in a second, thanks for the report. --Blablubbs (talk) 22:20, 30 September 2022 (UTC)- Had a look at the page history, and I'll add as equally Confirmed (http/8080 again): 91.214.179.24 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan. --Blablubbs (talk) 22:36, 30 September 2022 (UTC)
- Huh. I was looking at that one, and was hesitating on the report only because the block request criteria involves abusive contributions. 91.214 was undoing the contributions of 84.54 which were abusive/edit warring and which had been blocked earlier. Possible good hand/bad hand maybe? Sideswipe9th (talk) 22:40, 30 September 2022 (UTC)
- @Sideswipe9th: Huh, I never noticed that bit in the report form. From my perspective, it's fine to report anything you credibly suspect to be an open proxy – WP:NOP allows for blocks to be made irrespective of what the contributions look like. I might raise that at WT:WPOP when I have a minute. GHBH is one option (and I'd say a likely one given the occasional self-reverting on the same IP), though I suppose it could just be two people who both happen to be on proxy. For the record, 202.4.186.179 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan is one as well (http/80). --Blablubbs (talk) 22:47, 30 September 2022 (UTC)
- Nice one! I'll take another look at the current history at List of security hacking incidents, Timeline of Internet conflicts, and Cyber Anakin later, and see if there's any that've been missed. Those and a couple of the Anonymous related articles seem to be magnets for this sort of thing. Sideswipe9th (talk) 22:54, 30 September 2022 (UTC)
- @Sideswipe9th: Huh, I never noticed that bit in the report form. From my perspective, it's fine to report anything you credibly suspect to be an open proxy – WP:NOP allows for blocks to be made irrespective of what the contributions look like. I might raise that at WT:WPOP when I have a minute. GHBH is one option (and I'd say a likely one given the occasional self-reverting on the same IP), though I suppose it could just be two people who both happen to be on proxy. For the record, 202.4.186.179 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan is one as well (http/80). --Blablubbs (talk) 22:47, 30 September 2022 (UTC)
- Huh. I was looking at that one, and was hesitating on the report only because the block request criteria involves abusive contributions. 91.214 was undoing the contributions of 84.54 which were abusive/edit warring and which had been blocked earlier. Possible good hand/bad hand maybe? Sideswipe9th (talk) 22:40, 30 September 2022 (UTC)
- Had a look at the page history, and I'll add as equally Confirmed (http/8080 again): 91.214.179.24 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan. --Blablubbs (talk) 22:36, 30 September 2022 (UTC)
109.111.237.2
{{proxycheckstatus}}
- 109.111.237.2 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Related to the IP's I've reported previous. Editor is currently canvassing to an article that has seen recent disruption from a proxy hopping IP editor. Shodan states the IP is running MikroTik, and IP Quality Score lists it as both an open proxy and on one or more spam blocklists. I think this one is a public proxy and not a compromised host as a spot check on other IPs associated to the same domain (mediaworksit.net) also open proxy behaviour. Sideswipe9th (talk) 16:32, 3 October 2022 (UTC)
- I'd call this Possilikely (a mix between possible and likely), but no joy at this time. Closing without action for now, let's see if they edit again. --Blablubbs (talk) 17:55, 3 October 2022 (UTC)
217.28.41.156
{{proxycheckstatus}}
- 217.28.41.156 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: (Howdy, per a pm I got proxies apparently aren't supposed to be used for editing wikipedia, and need to be reported to [3]. I don't know them very well, and this IP is allowed to edit by the software unless perhaps it's shadowbanned so no one else sees its posts. Anyway could be a prank, I'm not sure, sorry if I'm wasting your time. I don't know what proof is needed, but it is accesible by using your browser's proxy settings, pm me on reddit and I'll forward detailed instructions) 217.28.41.156 (talk) 19:55, 3 October 2022 (UTC)
- Handled. --Blablubbs (talk) 12:40, 4 October 2022 (UTC)
185.210.127.72
{{proxycheckstatus}}
- 185.210.127.72 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Very likely the same editor as I've reported previously. IP is in a data centre, Shodan has an odd smattering of open ports, with port 443 returning a traefik SSL certificate. ProxyCheck states that it's a compromised server. Sideswipe9th (talk) 00:56, 4 October 2022 (UTC)
- Already blocked, so I didn't look closely. Seems likely though. --Blablubbs (talk) 12:36, 4 October 2022 (UTC)
119.76.142.254
{{proxycheckstatus}}
- 119.76.142.254 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Same editor as I've been reporting previously. Shodan results are negative for now, because it looks like they haven't scanned the IP before, however both IPQualityScore and Proxycheck.io flag it as a proxy, and IPQualityScore also notes that it is on one or more mail block lists. I can't tell from the data I have available if this is a compromised server, or an otherwise open proxy. Sideswipe9th (talk) 01:47, 6 October 2022 (UTC)
- Now blocked by Malcolmxl5. --Blablubbs (talk) 18:52, 6 October 2022 (UTC)
Sock proxies
{{proxycheckstatus}}
- 107.189.28.71 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 141.95.159.171 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 141.95.193.213 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Being used by sockpuppeteer User:Thakor Sumant Sinhji Jhala (exact same restoration of the master's WP:CASTE POVPUSH). Identified as VPNs by whatismyipaddress, spur, and shodan and the 107.189.0.0 and 19/141.95.0.0/16 ranges are already blocked on fa/es/nl/ru (incl. wikiquote)/zh wikis. Gotitbro (talk) 05:47, 4 October 2022 (UTC)
- Confirmed webhosts; I made some blocks, but there's most likely more to be found here and I don't have the time to look right now, so I'll leave this open. --Blablubbs (talk) 09:16, 4 October 2022 (UTC)
- Closed. MarioGom (talk) 22:27, 14 October 2022 (UTC)
212.114.28.126
{{proxycheckstatus}}
- 212.114.28.126 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Requested unblock. 212.114.28.126 (talk) 12:32, 7 October 2022 (UTC)
- Not done Likely IP is an open proxy Very likely a proxy/VPN, should remain blocked - RichT|C|E-Mail 12:35, 7 October 2022 (UTC)
- Well, the IP is not blocked, has never been blocked, on en.wiki so there is nothing to unblock here. -- Malcolmxl5 (talk) 20:38, 7 October 2022 (UTC)
- Closing. MarioGom (talk) 22:32, 14 October 2022 (UTC)
- Well, the IP is not blocked, has never been blocked, on en.wiki so there is nothing to unblock here. -- Malcolmxl5 (talk) 20:38, 7 October 2022 (UTC)
84.255.160.231
{{proxycheckstatus}}
- 84.255.160.231 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Listed as a proxy on IPQualityScore but nowhere else. Possibly a residential proxy running Polipo, but not well versed enough in proxies so requesting someone take a look. DatGuyTalkContribs 18:52, 8 October 2022 (UTC)
- Definitely a proxy of some kind. Blocked, closing. firefly ( t · c ) 10:53, 16 October 2022 (UTC)
88.229.20.147
{{proxycheckstatus}}
- 88.229.20.147 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Claims of using a botnet to target every page I edit (so expect it to target this one too). LilianaUwU (talk / contribs) 05:06, 16 October 2022 (UTC)
- Definitely a proxy of some kind. Blocked, closing. firefly ( t · c ) 10:53, 16 October 2022 (UTC)
188.163.102.57
{{proxycheckstatus}}
- 188.163.102.57 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Yet another of the Liliana-stalker's alleged botnet. —Jéské Couriano v^_^v a little blue Bori 05:34, 16 October 2022 (UTC)
- Definitely a proxy of some kind. Blocked, closing. firefly ( t · c ) 10:53, 16 October 2022 (UTC)
86.11.18.227
{{proxycheckstatus}}
- 86.11.18.227 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Yet another of the Liliana-stalker's alleged botnet. —Jéské Couriano v^_^v a little blue Bori 05:35, 16 October 2022 (UTC)
- Definitely a proxy of some kind. Blocked, closing. firefly ( t · c ) 10:53, 16 October 2022 (UTC)
2601:601:1501:22b0:470:2d23:30ce:95d2
{{proxycheckstatus}}
- 2601:601:1501:22b0:470:2d23:30ce:95d2 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · geo · rangeblocks · spur · shodan
Reason: Yet another of the Liliana-stalker's alleged botnet. —Jéské Couriano v^_^v a little blue Bori 05:36, 16 October 2022 (UTC)
- Definitely a proxy of some kind. Blocked, closing. firefly ( t · c ) 10:53, 16 October 2022 (UTC)
2604:2d80:8013:0:6cc0:fbfb:e758:afa5
{{proxycheckstatus}}
- 2604:2d80:8013:0:6cc0:fbfb:e758:afa5 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · geo · rangeblocks · spur · shodan
Reason: Yet another of the Liliana-stalker's alleged botnet. —Jéské Couriano v^_^v a little blue Bori 05:42, 16 October 2022 (UTC)
- Definitely a proxy of some kind. Blocked, closing. firefly ( t · c ) 10:53, 16 October 2022 (UTC)
76.99.205.164
{{proxycheckstatus}}
- 76.99.205.164 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Yet another of the Liliana-stalker's alleged botnet. —Jéské Couriano v^_^v a little blue Bori 05:59, 16 October 2022 (UTC)
- Definitely a proxy of some kind. Blocked, closing. firefly ( t · c ) 10:53, 16 October 2022 (UTC)
191.5.129.20
{{proxycheckstatus}}
- 191.5.129.20 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Yet another of the Liliana-stalker's alleged botnet. —Jéské Couriano v^_^v a little blue Bori 06:01, 16 October 2022 (UTC)
- Definitely a proxy of some kind. Blocked, closing. firefly ( t · c ) 10:53, 16 October 2022 (UTC)
104.172.137.183
{{proxycheckstatus}}
- 104.172.137.183 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Yet another of the Liliana-stalker's alleged botnet. —Jéské Couriano v^_^v a little blue Bori 06:10, 16 October 2022 (UTC)
- Definitely a proxy of some kind. Blocked, closing. firefly ( t · c ) 10:53, 16 October 2022 (UTC)
99.76.17.132
{{proxycheckstatus}}
- 99.76.17.132 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Yet another of the Liliana-stalker's alleged botnet. —Jéské Couriano v^_^v a little blue Bori 06:13, 16 October 2022 (UTC)
- Definitely a proxy of some kind. Blocked, closing. firefly ( t · c ) 10:53, 16 October 2022 (UTC)
2604:2D80:4014:3:6828:BBE8:648C:912C
{{proxycheckstatus}}
- 2604:2D80:4014:3:6828:BBE8:648C:912C · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · geo · rangeblocks · spur · shodan
Reason: Yet another of the Liliana-stalker's alleged botnet. —Jéské Couriano v^_^v a little blue Bori 06:17, 16 October 2022 (UTC)
- Definitely a proxy of some kind. Blocked, closing. firefly ( t · c ) 10:53, 16 October 2022 (UTC)
184.105.1.61
{{proxycheckstatus}}
- 184.105.1.61 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Datacenter IP belonging to Seiontec Systems via Hurricane Electric. Flagged by IPQS. Shodan shows multiple open ports. Malcolmxl5 (talk) 12:47, 3 October 2022 (UTC)
- Request withdrawn. I’ll withdraw this, I think, as Shodan is no longer showing open ports. -- Malcolmxl5 (talk) 01:09, 22 October 2022 (UTC)
192.176.203.16
{{proxycheckstatus}}
- 192.176.203.16 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Flagged as proxy by IPHub. Firestar464 (talk) 03:45, 6 October 2022 (UTC)
- Globally blocked until April. Closing. --Malcolmxl5 (talk) 01:01, 22 October 2022 (UTC)
Residential proxy IPs
{{proxycheckstatus}}
Anonblocked IPs:
- 2601:601:1501:22b0:470:2d23:30ce:95d2 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · geo · rangeblocks · spur · shodan
- 76.99.205.164 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 86.11.18.227 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 191.5.129.20 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 104.172.137.183 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 99.76.17.132 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 2604:2D80:4014:3:6828:BBE8:648C:912C · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · geo · rangeblocks · spur · shodan
- 191.243.126.33 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 99.76.17.163 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Short-term blocked IPs:
- 88.229.20.147 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 149.34.219.31 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 90.16.156.188 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 2806:10A6:10:974A:8092:66B0:E255:155E · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · geo · rangeblocks · spur · shodan
- 76.71.110.46 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 2804:46DC:421:ED5B:94FB:2908:4FEF:D0E9 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · geo · rangeblocks · spur · shodan
- 108.51.51.254 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 2A02:842B:46D:3B01:59E5:7842:415:FAEE · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · geo · rangeblocks · spur · shodan
- 2600:4040:716D:B400:6413:F4DC:645A:EC55 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · geo · rangeblocks · spur · shodan
Proxy-blocked but only for 1 week:
- 188.163.102.57 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 84.255.160.231 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Unblocked IP:
- 2804:37D4:B02:DB01:F1D7:EF9B:51CE:A531 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · geo · rangeblocks · spur · shodan
Reason: The above lists are IPs are part of several residential proxy IP services per data on Spur. No Shodan info on this, but residential proxies don't generally show up via a port-scan. First list have been {{anonblocked}} for a week, second list are IPs who have been blocked for a short period (36-48 hours), third list are IPs who have been proxy blocked for a week. Final list is an IP that hasn't been blocked yet. All were involved in the harassment reported last night. There was also 5 other IPs I've identified that were part of the same harassment and vandalism spree, but have been given longer 1 or 3 month proxyblocks. I'm filing to get the shorter term blocks upgraded to longer term ones if confirmed. Sideswipe9th (talk) 20:35, 16 October 2022 (UTC)
- Sideswipe9th Residential proxy pools have dozens of thousands of IPs (some claim millions). Blocking this kind of proxy for too long does more harm than good. It is generally better to report these somewhere else like WP:AIV. Closing without action. MarioGom (talk) 21:54, 16 October 2022 (UTC)
Possible proxies targeting established users
{{proxycheckstatus}}
- 116.50.174.237 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 67.141.66.250 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 2a02:8108:59c0:1820:c4af:3226:745c:99be · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · geo · rangeblocks · spur · shodan
- 190.196.61.146 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 116.50.174.237 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 84.54.86.108 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
In the last few days there has been a bout of talk page vandalism targeting established users. I did a quick investigation of some of the IPs doing this vandalism, and found out that these IPs had a very spread-out geographic distribution. This, combined with the sheer volume and frequency of this vandalism, suggests that some of these IPs may be proxies. For more details, please see User talk:Tamzin#Could you please open this SPI? 2601:647:5800:4D2:6D83:51CA:4F67:548 (talk) 00:30, 22 October 2022 (UTC)
- Yes, these were very probably proxies. The nature of these kind of proxies are that they are short lived so it's not worth doing anything unless they are active and then to only block them for a week or two. All of these were blocked at the time, some are still blocked. They are all now stale, three or four days old. There's nothing more to do here, I think, except to advise sending future ones to AIV for action. -- Malcolmxl5 (talk) 00:57, 22 October 2022 (UTC)
- I agree with Malcolmxl5. Closing. MarioGom (talk) 20:09, 30 October 2022 (UTC)
185.104.136.53
{{proxycheckstatus}}
- 185.104.136.53 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Am VPN public wifi in a bus185.104.136.53 (talk) 15:25, 24 October 2022 (UTC)
- A public wifi is not a VPN. Nothing to do here. Closing. MarioGom (talk) 20:07, 30 October 2022 (UTC)
From the 185.5.48.* range & a couple of others
{{proxycheckstatus}}
- 185.5.48.132 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 185.5.48.139 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 185.5.48.148 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 185.5.48.152 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 185.5.48.16 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 185.5.48.167 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 185.5.48.25 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 185.5.48.3 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 185.5.48.45 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 185.5.48.8 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 195.158.74.54 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 217.71.190.230 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: All these IP addresses appear to be in Malta. The disruptive (except 185.5.48.148) edits from these IP address seem to be focused on women's history mostly with respect to armed combat.
ST47ProxyBot has blocked 185.5.48.142, 185.5.48.153, 185.5.48.155, 185.5.48.158, 185.5.48.159.
We have a persistent disruptive editor who seems to be switching IP address. See https://wiki.riteme.site/w/index.php?title=Women_in_piracy&action=history for an example of four of the above addresses in the 185.5.48.* range just for today alone. 217.71.190.230 appears earlier in the edit history.
I would recommend looking at 185.5.48.0–185.5.48.255. There seems to be no edits whatsoever from 185.5.48.50–185.5.48.128 (I sampled approximately 1 out of 3). With the exception of that range, I went through the remainder of 185.5.48.0–185.5.48.189. Other than the editing from the list of IPs that I provide, most edits seem to center around football (soccer). Peaceray (talk) 17:24, 24 October 2022 (UTC)
- 185.5.48.0/24 has been blocked for one month for disruptive editing, which seems to take care of that. The other IPs are already blocked. -- Malcolmxl5 (talk) 22:52, 24 October 2022 (UTC)
- That still leaves open the question as to whether or not these are open proxies. Clicking on the spur links above for the ten 185.5.48.0/20 IP addresses brings back a message for each of them that is essentially:
185.5.48.XX - Possible Proxy; 185.5.48.XX belongs to a call-back proxy network. This means legitimate devices are unwittingly routing automated activity through their internet connection. This is likely a mix of anonymous activity and normal activity.
- Peaceray (talk) 05:27, 25 October 2022 (UTC)
- That all these IPs geolocates to one place, Malta, suggests to me that proxy use is not an issue here. In any case, those types of proxies are empheral and are typically only blocked for one or two weeks. Better to deal with this as disruptive editing imo. -- Malcolmxl5 (talk) 00:31, 26 October 2022 (UTC)
- On the merits of blocking this type of suspected proxy, I dunno. Global policy is that we should block all proxies, which would include residential proxies, when they are confirmed. While there is a discussion on this relating to collateral damage, there doesn't yet seem to be a consensus to change policy because of this. Though that may become moot if certain things come to pass.
- While I suspect that a significant amount of a certain type of vandalism would greatly diminish, if not vanish entirely, were we to block all confirmed residential proxies, I do recognise that it would have a fair amount of collateral damage, especially amongst those potential editors who may not realise their connection is being used/misused by a proxy provider. I dunno if there is a right answer to this to be honest. Sideswipe9th (talk) 00:51, 26 October 2022 (UTC)
- Note that residential proxy users generally hop between completely different ranges. The recurrence of ranges in this report suggest that a residential proxy is not being used. MarioGom (talk) 20:05, 30 October 2022 (UTC)
- That all these IPs geolocates to one place, Malta, suggests to me that proxy use is not an issue here. In any case, those types of proxies are empheral and are typically only blocked for one or two weeks. Better to deal with this as disruptive editing imo. -- Malcolmxl5 (talk) 00:31, 26 October 2022 (UTC)
- There's nothing else to do here in terms of proxy blocking. ST47ProxyBot will do its thing for a particular type of P2P proxy. Manually blocking other proxies that might (or might not) be in use here is generally useless. If disruption continues at Women in piracy, requesting page protection at WP:RFPP will be much more effective. Closing. MarioGom (talk) 20:03, 30 October 2022 (UTC)
152.32.104.49
{{proxycheckstatus}}
- 152.32.104.49 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: CONVERGE-ICT proxy, making similar edits to 152.32.112.184 (talk · contribs · WHOIS), which is in the same range and blocked for being a proxy. Yeeno (talk) 03:25, 25 October 2022 (UTC)
- Inconclusive. ST47ProxyBot will automatically block as needed if it's the same type of P2P proxy at some point. Closing without action. MarioGom (talk) 19:56, 30 October 2022 (UTC)
45.167.1.43
{{proxycheckstatus}}
- 45.167.1.43 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: suspicious edits in sockfarm infested pageants space, IPQualityScore comes through as 100% fraudulent, proxy ☆ Bri (talk) 04:22, 16 September 2022 (UTC)
- Unlikely IP is an open proxy. Not impossible, but I see no technical signal suggesting it is a proxy. Closing. MarioGom (talk) 22:39, 17 November 2022 (UTC)
124.246.93.199
{{proxycheckstatus}}
- 124.246.93.199 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Suspicious edits Beyond My Ken (talk) 05:00, 17 November 2022 (UTC)
- Unlikely IP is an open proxy - it looks like a regular mobile IP. I see no evidence of proxies here. Closing.
211.222.3.1
{{proxycheckstatus}}
- 211.222.3.1 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Probable open proxy/zombie proxy. According to Shodan data has a MikroTik proxy on port 80, and a vulnerable PPTP endpoint on port 1723. Likely the same editor who has removed my last proxy report, though it was acted on by Ponyo. Sideswipe9th (talk) 23:47, 17 November 2022 (UTC)
- IP was proxy blocked by Ponyo shortly after making this report. Sideswipe9th (talk) 23:50, 17 November 2022 (UTC)
24.199.90.246
{{proxycheckstatus}}
- 24.199.90.246 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
- 24.199.80.148 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: this IP belongs to a web host (Digitalocean). M.Bitton (talk) 22:58, 15 November 2022 (UTC)
- Please see the IP from the same range below. M.Bitton (talk) 23:08, 15 November 2022 (UTC)
- If this list is anything to go by, then blocking "24.199.64.0/18" should take care of this IP and the one listed above it. M.Bitton (talk) 23:08, 15 November 2022 (UTC)
- Merged both cases. MarioGom (talk) 22:35, 17 November 2022 (UTC)
- Awaiting administrative action - Please, consider blocking 24.199.64.0/18 · contribs · block · log · stalk · Robtex · whois · Google as a webhost. Thank you. MarioGom (talk) 22:34, 17 November 2022 (UTC)
- Requested actions completed, closing. --Blablubbs (talk) 22:31, 3 December 2022 (UTC)
45.159.248.157
{{proxycheckstatus}}
- 45.159.248.157 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Likely a proxy/compromised server per ipcheck Yeeno (talk) 06:03, 21 November 2022 (UTC)
- Webhostblocked the /24. Closing. --Blablubbs (talk) 22:33, 3 December 2022 (UTC)
185.225.191.153
{{proxycheckstatus}}
- 185.225.191.153 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: (IP address whois lookup returns to a Service offering Dedicated Servers (Mevspace) ) Matthew Tyler-Harrington (aka mth8412) (talk) 21:40, 29 November 2022 (UTC)
- Likely IP is an open proxy. The range (/24) is a data center. Probably a compromised MikroTik server, likely being used as a proxy. Please, consider a block for this IP. Thank you. MarioGom (talk) 10:18, 4 December 2022 (UTC)
- Blocked the range. GeneralNotability (talk) 00:15, 6 December 2022 (UTC)
163.123.172.0/24
{{proxycheckstatus}}
Reason: Datacenter / Webhost / Colocation center TheManInTheBlackHat (talk) 18:27, 30 November 2022 (UTC)
- Not currently an open proxy Enterprise VPN(-like?) solution, not open. —Mdaniels5757 (talk • contribs) 21:40, 4 December 2022 (UTC)
5.199.171.135
{{proxycheckstatus}}
- 5.199.171.135 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Obviously, a VPN from Lithuania. SpinnerLaserzthe2nd (talk) 08:44, 3 December 2022 (UTC)
- Confirmed. The IP is a TunnelBear VPN exit (see spur, shodan). The range (/22) is soft-blocked as a webhost, but this IP could use a hard block. Thank you. MarioGom (talk) 10:18, 4 December 2022 (UTC)
- @MarioGom: I'm inclined to just harden the block on the /22 – are you seeing anything that would discourage that? --Blablubbs (talk) 16:39, 5 December 2022 (UTC)
- Blablubbs: No, I think that's fine too. MarioGom (talk) 16:41, 5 December 2022 (UTC)
- Done, closing. --Blablubbs (talk) 16:44, 5 December 2022 (UTC)
- Blablubbs: No, I think that's fine too. MarioGom (talk) 16:41, 5 December 2022 (UTC)
- @MarioGom: I'm inclined to just harden the block on the /22 – are you seeing anything that would discourage that? --Blablubbs (talk) 16:39, 5 December 2022 (UTC)
196.44.39.130
{{proxycheckstatus}}
- 196.44.39.130 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Just abused by Bugmenot123123123 (talk · contribs · deleted contribs · logs · filter log · block user · block log) who block-evades primarily through open proxies (see User talk:Softlemonades#Break for more details on this sockmaster if needed). Note IP has already been blocked for 31 hours, but I'm leaving this open for further investigation since a longer block will be needed if it's an open-proxy as I suspect. 74.73.224.126 (talk) 15:53, 5 December 2022 (UTC)
- Possible IP is an open proxy at best. —Mdaniels5757 (talk • contribs) 19:13, 5 December 2022 (UTC)
- @Mdaniels5757: stalktoy shows it's been blocked by QBA-bot as an open-proxy on two wikis. To me that suggests at least Likely. That said logged-out abuse is minimal thus far so I understand if you're not yet comfortable blocking. 74.73.224.126 (talk) 03:07, 6 December 2022 (UTC)
- Yes, but IPcheck shows nothing suggesting it's a proxy, an nmap scan shows nothing but a firewall, and review of the associated hostname shows it's associated with a vehicle traffic management company. I really don't see any evidence other than the other wiki's block that this is an open proxy. Because I'm not sure what the block on ruwiki and ruwikiquote are based on and you seem quite sure, I'll reopen this for a second opinion, but I really don't see anything that suggests someone else's opinion will be different. —Mdaniels5757 (talk • contribs) 03:32, 6 December 2022 (UTC)
- Well let's ping Q-bit array, the bot-op responsible for the block, for additional input. 74.73.224.126 (talk) 03:46, 6 December 2022 (UTC)
- Hello! According to my bot's logs, the IP was recognized as a proxy by proxycheck.io. I have an extended paid subscription there, so it tends to detect more than the free version of the service. P.S.: If your "proxy-loving" LTA used it recently then it's additional strong evidence that it's a proxy (or he's currently on vacation in the South Africa, which is not that likely). -- Q-bit array (talk) 07:11, 6 December 2022 (UTC)
- @Mdaniels5757 this IP is likely part of a residential proxy network. Those don't tend to show up on a port scan through nmap or Shodan, so you need to check other services like IPQualityScore or Spur. Sideswipe9th (talk) 05:44, 6 December 2022 (UTC)
- Spot on. This is a cheap residential proxy service that is frequently used by LTAs these days. These use highly rotating and dynamic IPs, so they are usually not re-used. Closing without action. If an admin considers a block, it should be a short one. MarioGom (talk) 09:41, 9 December 2022 (UTC)
- Well let's ping Q-bit array, the bot-op responsible for the block, for additional input. 74.73.224.126 (talk) 03:46, 6 December 2022 (UTC)
- Yes, but IPcheck shows nothing suggesting it's a proxy, an nmap scan shows nothing but a firewall, and review of the associated hostname shows it's associated with a vehicle traffic management company. I really don't see any evidence other than the other wiki's block that this is an open proxy. Because I'm not sure what the block on ruwiki and ruwikiquote are based on and you seem quite sure, I'll reopen this for a second opinion, but I really don't see anything that suggests someone else's opinion will be different. —Mdaniels5757 (talk • contribs) 03:32, 6 December 2022 (UTC)
- @Mdaniels5757: stalktoy shows it's been blocked by QBA-bot as an open-proxy on two wikis. To me that suggests at least Likely. That said logged-out abuse is minimal thus far so I understand if you're not yet comfortable blocking. 74.73.224.126 (talk) 03:07, 6 December 2022 (UTC)
192.168.4.127
{{proxycheckstatus}}
- 192.168.4.127 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Would like to edit articles at school but this might not be a good choose because of the chance that my fellow classmate will abuse this privilege please do what you think is right. Aidan_duckapple (talk) 18:37, 5 December 2022 (UTC)
- @Aidan glendenning: It sounds like you want to edit through a blocked proxy. If so, please see WP:IPECPROXY for instructions. Either way, we cannot check the IP you provided because it is a private/local IP. Please ping me and reply here if you have any questions. —Mdaniels5757 (talk • contribs) 19:21, 5 December 2022 (UTC)
- Closing. MarioGom (talk) 23:33, 12 December 2022 (UTC)
185.123.53.37
{{proxycheckstatus}}
- 185.123.53.37 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: the IP belongs to a hosting provider (BlueVPS). M.Bitton (talk) 16:00, 10 December 2022 (UTC)
- 185.123.53.0/24 · contribs · block · log · stalk · Robtex · whois · Google is now blocked. Closing. — Preceding unsigned comment added by MarioGom (talk • contribs) 23:33, 12 December 2022 (UTC)
113.211.209.148
{{proxycheckstatus}}
- 113.211.209.148 · talk · contribs · block · log · stalk · Robtex · whois · Google · ipcheck · HTTP · geo · rangeblocks · spur · shodan
Reason: Please check stalk toy, this is a P2P open proxy. Lemonaka (talk) 15:08, 28 December 2022 (UTC)
- Closing without action. No need for any manual action here. ST47ProxyBot blocks these P2P proxies regularly, and it adjusts block periods to mitigate collateral damage. MarioGom (talk) 18:59, 5 January 2023 (UTC)